adding an event on interpreted procs outbound network activity

[h4l0gen]

What type of PR is this?

Uncomment one (or more) /kind <> lines:

/kind bug

/kind cleanup

/kind documentation

/kind tests

/kind feature

Any specific area of the project related to this PR?

Uncomment one (or more) /area <> lines:

/area commands

/area pkg

/area events

What this PR does / why we need it:
this triggers rule interpreted procs outbound network activity
Which issue(s) this PR fixes:

Fixes #152

Special notes for your reviewer:

[h4l0gen]

@leogr @FedeDP Here I created a new helper action OutboundConnection. This rule triggered successfully

[h4l0gen]

Before proceeding with this PR, I would like to discuss these two points :

• In outbound_connection.go, an important condition is to establish connection as per outbound_connection macro condition. For testing purposes, I used Google's public DNS server (8.8.8.8:53)(rule triggered on using this). What do you think about using this DNS server?
• Sending written data is not required to trigger this rule; the important thing is a successful connection. I included this part (sending written data) in action, to establish a connection only. If you prefer, we can remove this part.

[leogr]

quick look, just left preliminary comments.

PS
I like the helper 👍

[leogr]

re:

Sending written data is not required to trigger this rule; the important thing is a successful connection. I included this part (sending written data) in action, to establish a connection only. If you prefer, we can remove this part.

I've no strong opinion. I'd avoid bothering 3rd-party service, if possible.
@FedeDP wdyt?

[FedeDP]

Agree, since the rule triggers without the data being actually written, we should just skip this part.

[h4l0gen]

@FedeDP @leogr made changes.

[leogr]

hey @h4l0gen

have you tried the latest implementation? does it still trigger the rule? 🤔

[leogr]

which part of this macro condition is meeting?

- macro: outbound
  condition: >
    (((evt.type = connect and evt.dir=<) or
      (evt.type in (sendto,sendmsg) and evt.dir=< and
       fd.l4proto != tcp and fd.connected=false and fd.name_changed=true)) and
     (fd.typechar = 4 or fd.typechar = 6) and
     (fd.ip != "0.0.0.0" and fd.net != "127.0.0.0/8" and not fd.snet in (rfc_1918_addresses)) and
     (evt.rawres >= 0 or evt.res = EINPROGRESS))

[h4l0gen]

Hii @leogr. Yes rule triggered successfully after changes too.

[h4l0gen]

This is how macro condition got satisfied:

• As we used net.Dial method, which performs outbound connection hence (evt.type = connect and evt.dir=<) is satisfied.
• UDP connectuon is used.
• Using example.net not RFC 1918 addresses (private IP range)

[poiana]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: h4l0gen, leogr

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [leogr]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[poiana]

LGTM label has been added.

Git tree hash: b75de9ef16e6312348f0bff9b3d60ffb1b31ba91